Trust between Containers

When an enterprise bean is designed so that either the original caller
identity or a designated identity is used to call a target bean, the target
bean will receive the propagated identity only; it will not receive any authentication
data.

There is no way for the target container to authenticate the propagated
security identity. However, because the security identity is used in authorization
checks (for example, method permissions or with the isCallerInRole() method),
it is vitally important that the security identity be authentic. Because there
is no authentication data available to authenticate the propagated identity,
the target must trust that the calling container has propagated an authenticated
security identity.

By default, the Application Server is configured to trust identities that
are propagated from different containers. Therefore, there are no special
steps that you need to take to set up a trust relationship.